Trend Micro’s Rik Ferguson blogs about current security issues.

Two more rogue Facebook apps linked to Fucabook scam

UPDATE 4: 20th August Facebook have removed the six rogue apps mentioned below. Unfortunately 5 more have appeared over the course of today; they are called “Friends”, “Friends Gifts”, “Matching”, “Poki” & “Your Photos” (same bat-name, different bat-app), bringing the total so far to 11. The new rogue apps take the same format as previously but use different application icons, have slightly more credible notifications to your friends and also now feature bogus notifications to the profile owner, presumably in an effort to persuade the victim to install further apps and maximise the fraudsters’ advertising returns.

Facebook notifications page

UPDATE 3: 19th August Rogue app number six just showed up and is unsurprisingly called “Inbox (1)”.

UPDATE 2: 19th August: A fourth & fifth rogue app just surfaced, being spread by phony messages spammed out by the other rogue apps. The next applications to avoid/remove & block are called “Birthday Invitations” and “Inbox (2)”; again, they behave in the same manner as the others.

UPDATE 19th August: Make that “Three more rogue apps”. The rogue application “Stream” mentioned below, today started sending out notifications that lead to yet another rogue app.

Using an already compromised account, I loaded up the app page for the malicious app “Posts” today; it immediately messaged my friends with a link to the “Stream” app I have already blogged about. However, when I loaded up the “Stream” app page, it also sent out new messages. The link in those messages went to a site external to Facebook, which in turn holds a redirection script that pushed me to another new malicious app called “Your Photos”.

“Your Photos” looks exactly the same as the “Stream” and “Photos” apps, and also sends out rogue notifications pointing to the same script referenced above.

I am keeping Facebook informed of these developments as they arise and they are working hard to rectify the situation.

I have been continuing to look into the Facebook phishing/rogue application story that I blogged about yesterday, because it wasn’t at all clear to me how the application “sex sex sex and more sex!!!” was generating those messages pointing to the malicious web site.

My research has turned up two further Facebook applications which this time have quite clearly been designed for malicious activity and can be clearly linked to the fucabook phishing.

When a victim logs in using the bogus fucabook page, after entering their password for the first time, they are prompted with a screen asking for their password again “to use the full functionality of [malicious application name]” (yesterday the bogus app was called Posts, today it is called Stream).

Once this application is added, it uses the image of one of your friends (because your apps can see any info that you can see) to tell you that someone has generously sent you a meaningless graphic. It also gives you options of how to respond to this dubious gift, but no button to act on those options. Stream and Posts both look the same.

The application then goes on to send spam to all your contacts, without asking for permission of course…

The notifications sent to friends all point back to the fucabook phishing site. Worthy of note also is the fact that both malicious applications use the same graphical icon to identify themselves. The icon itself has been lifted from the very familiar and entirely trustworthy Facebook Wall application, which most users will be used to seeing in their notifications on a regular basis, adding further surface credibility to the attack.

How the application “sex sex sex and more sex!!!” got involved is still unclear, but if the app itself is not malicious, then my current best guess would be application hijacking/hacking to kickstart the phishing/malicious application cycle seen here.

So, like I said yesterday, always check the URL displayed in your browser’s address bar before entering any sensitive information. Also check the true destination of a link before clicking it, by hovering your mouse pointer over it. If it looks suspicious, don’t click it. Also, if you’re a Facebook user, now would be a good time to go and review your privacy settings and clear out any applications you no longer use.
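As an added example (not code from the original post), the “check the true destination” advice above turned into a small Python check: it pulls the links out of a notification and flags hosts that merely resemble facebook.com, which is exactly how a lookalike such as the fucabook page gets past a quick glance. The notification text, the hostnames in it and the edit-distance threshold of 2 are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

TRUSTED = "facebook.com"   # the brand the phishing page imitates
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host: apps.facebook.com -> facebook.com."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_link(url: str) -> str:
    """'trusted' for facebook.com itself, 'lookalike' for a host that only
    imitates it (brand name as a subdomain, or a typo-distance twin of the
    registered label), 'external' for anything else."""
    host = urlparse(url).hostname or ""
    reg = registered_domain(host)
    if reg == TRUSTED:
        return "trusted"
    if "facebook" in host:                 # e.g. facebook.com.evil.example
        return "lookalike"
    label = reg.split(".")[0]
    if levenshtein(label, "facebook") <= 2:  # e.g. fucabook, faceb00k
        return "lookalike"
    return "external"


def scan_notification(text: str) -> list:
    """Return (url, verdict) for every link found in a notification body."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]


# Constructed sample notification; hostnames are placeholders, not real sites.
SAMPLE = ("Someone sent you a gift! See it at http://apps.facebook.com/stream/ "
          "or http://www.fucabook.example/login.php and "
          "http://redirect-host.example/go.php?to=photos")
```

Anything rated “lookalike” or “external” in a notification that claims to come from Facebook deserves the hover-and-look treatment before a click.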

65 thoughts on “Two more rogue Facebook apps linked to Fucabook scam”

I used a new app called “Rosen Verschenken”, but no matter how many times I sent it, it never disappeared, leading me to believe it’s either a “rogue app” or a virus. It also won’t let me delete it from my apps. Now what?

there is an app called rosen verschenken and I’ve tried it before, but no matter how many times I may send the one I have, it remains on my list, leading me to believe it’s a “rogue app” or even a virus. What do you think?

hi again, just one final update – not sure if someone here addressed Facebook, but as of today i was able to go in under the “Never Allowed to Post” section, find all of the remaining problem apps, including the one with the malicious links and there was now a “Profile” link next to them which wasn’t there before; it allowed me to go directly to the app’s page, which previously couldn’t be done without “allowing” the app again, so this was extremely helpful

my question at this point is, why are they still there? i found it interesting that some of them which had no fans or users previously, now had hundreds of users and some fans, so i’m wondering if those links took me originally to a page that was created to look like “Send Your Friends a Cup of Coffee”(Sunrise, Good Morning, etc…)

couldn’t find any contact information for you Ric, so i posted this here… if you like you can email me as that is my correct email address, maybe you can make more sense of these applications, the fact that they take you off Facebook and try to install “anti-spyware” on you is worrisome but i have no idea what they are really doing… perhaps you can convince Facebook to look at these and remove them? since FB doesn’t seem to be responding to others’ reports… thanks! :)

i’m far from technically literate, but am certain there is something malicious with an application that specifically is called “Send Your Friends a Cup of Coffee”… (aka: a Sunset, a Teddy Hug, a Sunrise, etc… ALL are malicious)

upon realizing some things about application removal, i.e. you need to actually find them under “Never Allowed to Post” in Application Settings and then Block them; then go back to reset your Privacy Settings, as every application accepted unchecks it and allows all of your information to be sent to ALL of your friends apps (see the story by the ACLU http://www.deseretnews.com/article/705326328/ACLU-Facebook-knows-too-much.html) i realized what was happening when some would be BLOCKED but would NOT disappear as all of the non-malicious apps did, they still remain as of today…

i took screenshots and made a photo album to show friends what was going on, and how every time you used the “Create a Gift Application” which is supposedly the platform for “Send Your Friends a _____”, there was a third party developer way down at the bottom of the page also, and when i clicked the privacy violations link, it took me OFF facebook and tried to get me to install something… i’ve reported this to Facebook and have seen others did as well, yet they’ve done nothing… i wish i’d never allowed a single application at this point, but it’s too late… i wish others would listen… i may make a website to show what is happening, where i can post the screenshots so others can understand what is going on…